Quick fix for Zimbra Zero Day exploit

Submitted by Marcel Gagne on Tue, 12/17/2013 - 16:36

There's nothing like a good zero day exploit targeting one of your busy servers to get your attention. When the fix involves taking down a server with a few hundred email accounts, you start to panic just a little. It's not always (read 'never') convenient to just take down a production server, especially if you need to take a couple of large backups first, then run an update that takes a little time.

This exploit targets Zimbra servers and it came to my attention via my friend Jason Kendall, a security specialist and master of keeping me on the edge of terror. Okay, I wasn't that scared, but while Zimbra did have a fix, it involved a large distribution package, and the time needed to take down the service, take backups, run the upgrade, and get things rolling again. I've done a few Zimbra upgrades and I don't do them lightly. They can be seriously time consuming.

The exploit in question takes advantage of the SOAP service running on port 7071, the port the admin logs in on. The server's configuration file is retrieved and the LDAP password is extracted from it, essentially providing access to every account on the system. Since I have root access to my email servers, I could use SSH to log in and add firewall rules that allow only my IP to reach that port. My office Internet access is through Rogers and though it isn't technically a fixed IP, it rarely changes. All I needed was my current public IP address in order to create the rules. One way to find it is to visit a site like speedtest.net, which not only measures the speed of your Internet connection but also tells you your IP address. If you are already logged in over SSH, the first field of the SSH_CLIENT environment variable shows the address the server sees you coming from, which is exactly the address the rule has to match. Keep in mind that if that address ever changes, you will be locked out of the admin console until you log in over SSH and update the rule.

Armed with this information, you would do the following.

Start by allowing your IP address in on port 7071, like this.

iptables -A INPUT -s MY.IP.ADD.RESS -p tcp --dport 7071 -j ACCEPT

Next, block everything else on that port.

iptables -A INPUT -p tcp --dport 7071 -j DROP

That's it! A few caveats, though. The -A flag appends to the end of the INPUT chain, so if an earlier rule already accepts all traffic (or all TCP traffic), the new DROP never sees a packet; check the order with "iptables -L INPUT -n --line-numbers" and use -I to insert at the top of the chain if you have to. The rules also disappear on reboot unless you save them with your distribution's iptables persistence mechanism. And Zimbra's own command-line tools, zmprov among them, talk to the admin SOAP service on localhost:7071, so make sure traffic on the loopback interface is accepted ahead of the DROP (iptables -I INPUT 1 -i lo -j ACCEPT if you don't already have such a rule); in a multi-server installation the other Zimbra nodes need to reach port 7071 as well. Eventually, you will definitely want to apply the update from Zimbra, but this will buy you a little time.
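Here is the same lockdown written as a small script. This is an added example, not the commands from the post above: it validates the management addresses before touching anything, inserts the rules at the top of INPUT (with -I rather than -A, so an existing catch-all ACCEPT cannot shadow the DROP), keeps loopback open for Zimbra's own tools, and then reads iptables-save output to confirm the ordering is actually effective. The function names, the PORT variable, the APPLY switch and the addresses in 203.0.113.0/24 and 198.51.100.0/24 are this script's own choices, and the two iptables-save excerpts are constructed samples, not rules from a real host.

```shell
#!/bin/sh
# Emergency lockdown of the Zimbra admin port (7071): accept the management
# addresses and loopback, drop everyone else, and verify the resulting order.
# Added example, not the commands from the post. Function names, PORT and the
# sample addresses (documentation ranges) are this script's own choices.

PORT=7071

# valid_ip ADDR[/PREFIX]: true if ADDR is a dotted-quad IPv4 address with an
# optional /0-32 prefix. A typo here would otherwise get the ACCEPT rejected
# by iptables while the DROP still lands, locking you out.
valid_ip() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    rest=$addr.                                # trailing dot terminates the last octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# emit_rules PORT IP...: print the iptables commands in the order to run them.
# Everything is inserted at position 1 of INPUT, never appended, so a pre-existing
# catch-all ACCEPT lower in the chain cannot shadow the DROP. The DROP goes in
# first and each ACCEPT is pushed in above it, so the chain ends up reading:
# management ACCEPTs, loopback ACCEPT, DROP. All addresses are checked before
# anything is printed, so a bad argument never yields a half-applied ruleset.
emit_rules() {
    port=$1; shift
    [ $# -gt 0 ] || { echo "emit_rules: no management addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ip "$ip" || { echo "emit_rules: bad address: $ip" >&2; return 1; }
    done
    echo "iptables -I INPUT 1 -p tcp --dport $port -j DROP"
    # Zimbra's own tools (zmprov, for one) reach the admin SOAP service over
    # localhost, so loopback has to stay open.
    echo "iptables -I INPUT 1 -i lo -p tcp --dport $port -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -I INPUT 1 -s $ip -p tcp --dport $port -j ACCEPT"
    done
}

# check_order PORT "$(iptables-save)": read the live ruleset (or a saved copy)
# and confirm the lockdown takes effect for PORT. Status 0 means an unconditional
# DROP exists, every port-specific ACCEPT sits above it, and no catch-all ACCEPT
# (no port, no source, not loopback, not established-only) precedes it.
check_order() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            ours = (index($0, "--dport " port " ") > 0)
            if (ours && $NF == "DROP" && $0 !~ /-s /) { drop = NR; next }
            if ($NF != "ACCEPT") next
            if (ours) { if (drop) late = 1; else allows++; next }
            if (!drop && $0 !~ /--dport/ && $0 !~ /-s / && $0 !~ /-i lo/ && $0 !~ /ESTABLISHED/)
                shadow = 1
        }
        END {
            if (!drop)   { print "no unconditional DROP for port " port; exit 1 }
            if (late)    { print "an ACCEPT for port " port " sits below the DROP"; exit 1 }
            if (shadow)  { print "a catch-all ACCEPT above the DROP shadows it"; exit 1 }
            if (!allows) { print "no ACCEPT for port " port " at all: you are locked out too"; exit 1 }
            print "port " port " lockdown is in effect"
        }'
}

# Constructed iptables-save excerpt (not from a real host): rules inserted with -I.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 7071 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 7071 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7071 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed excerpt of the mistake check_order is meant to catch: the same
# rules appended with -A below an existing accept-all-TCP rule.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 7071 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7071 -j DROP
COMMIT'

# Usage: sh zimbra-7071-lockdown.sh 203.0.113.7 [more addresses...]
# Prints the commands; set APPLY=1 to run them (as root) and verify the live chain.
if [ $# -gt 0 ]; then
    cmds=$(emit_rules "$PORT" "$@") || exit 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -e || exit 1
        check_order "$PORT" "$(iptables-save)"
    else
        printf '%s\n' "$cmds"
    fi
fi
```

Run it once without APPLY to see the commands, then with APPLY=1 from an SSH session whose address is on the list. If check_order reports a catch-all ACCEPT shadowing the DROP on a chain you built with -A, the fix is to delete those rules and re-add them with -I as the script does.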

Until next time . . . As usual, if you wish to comment, please do so on Google Plus in the comment form below, or over here on Facebook and add me to your circles or friend list if you haven't already done so; oh yeah, if you're on Twitter, follow me there. Also, make sure you sign up for the mailing list over here so that you're always on top of what you want to be on top of. And a final request, please share this article with your favorite Linux and FOSS group or news site; I would sincerely appreciate it. Until next time . . .